MFH: Added overflow checks to wordwrap() function.

diff --git a/NEWS b/NEWS
index c4a4bb64429fdd60ffb2071cde3f07a66bec49ab..43b178b36d60721ccdc0fb177a1548545580a89e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
 - Updated PCRE to version 6.6. (Andrei)
+- Added overflow checks to wordwrap() function. (Ilia)
 - Added a check for special characters in the session name. (Ilia)
 - Fixed bug #36459 (Incorrect adding PHPSESSID to links, which contains \r\n).
   (Ilia)

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 6efe67f64143fdc71f4a57c477138c6509f26f48..cd7b6b1f2b3bcafab69b355b04cc17694db2bdbb 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -672,15 +672,13 @@ PHP_FUNCTION(wordwrap)
                /* Multiple character line break or forced cut */
                if (linelength > 0) {
                        chk = (int)(textlen/linelength + 1);
+                       newtext = safe_emalloc(chk, breakcharlen, textlen + 1);
                        alloced = textlen + chk * breakcharlen + 1;
                } else {
                        chk = textlen;
+                       newtext = safe_emalloc(textlen, (breakcharlen + 1), 1);
                        alloced = textlen * (breakcharlen + 1) + 1;
                }
-               if (alloced <= 0) {
-                       RETURN_FALSE;
-               }
-               newtext = emalloc(alloced);
 
                /* now keep track of the actual new text length */
                newtextlen = 0;